Symptoms

Applications or services that use the Secure Channel (SChannel) security support provider, such as Internet Explorer, may incorrectly negotiate to non-Microsoft website hosts by using the Transport Layer Security (TLS) protocol. Therefore, the affected application may not establish a connection or may be instructed to negotiate the use of a less-secure protocol such as Secure Sockets Layer protocol version 3.0 (SSL 3.0).

Cause

This issue occurs because some third-party implementations of the TLS protocol do not correctly negotiate when empty TLS extensions are present at the end of the extension list.

Note This update is offered only as a companion package to Internet Explorer 11. The update changes the TLS protocol renegotiation and fallback behavior.

Known issue

After you apply this update, when you use a Cisco AnyConnect Secure Mobility Client application to establish virtual private network (VPN) connections in Windows 8.1 or Windows Server 2012 R2, you receive the following error message:

References

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.